Solved

Can't remove malware: VirusRemover2008

Posted on 2008-11-01
21
1,072 Views
Last Modified: 2012-05-05
Have managed to get VirusRemover2008 on my PC.  Can't find much about it on the net.  It issues lots of fake warning in an attempt to get you to buy the product.  I can boot into safe mode but system restore will not work?  I can get on the net but can't get to some potentially helpful sites (windows update, trend micro housecall).  A google search shows a hit with removal instruction on BleepingComputer.com but the link fails.  AdAware will not update??  Could this malware be that "intelligent."  Any help would be greatly appreciated.
0
Comment
Question by:cwilliambrown
  • 9
  • 8
  • 2
  • +1
21 Comments
 
LVL 35

Assisted Solution

by:torimar
torimar earned 150 total points
ID: 22856450
You can use Malwarebyte's Anti-Malware to remove it:
http://www.malwarebytes.org/mbam.php

More instructions can be found here:
http://www.bleepingcomputer.com/malware-removal/virusremover2008-removal
0
 
LVL 35

Expert Comment

by:torimar
ID: 22856452
Once done, run a security scan with HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Have it create a logfile, but not fix anything. Then post the logfile here as an attachment.
0
 
LVL 35

Expert Comment

by:torimar
ID: 22856474
Sorry, did not realize that you said the bleepingcomputers-link didn't work for you. It works fine for me.

Also, check out the very detailed instructions by rpggamergirl in this EE thread:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_23704670.html

(Following them, however, may only be necessary if after running MBAM you still experience strange problems that seem to be malware-related.)
0
 
LVL 23

Accepted Solution

by:
phototropic earned 200 total points
ID: 22857756
Try re-setting your hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

I would also run Smitfraudfix:

http://siri.geekstogo.com/SmitfraudFix.php

Run option 2 in safe mode.  Post the log.

If you still have problems after that, download and run SDFix:

http://www.bleepingcomputer.com/files/sdfix.php

Good luck!!!
0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22870705
Malware Bytes appears to have fixed it.  I can also access Windows Updates and update my other Spyware/Malware applications, as well as run TrendMicro's Housecall again.  Do you think VirusRemover2008 was doing all that?  It seems to big of a coincidence for it not to have been the cause.  On the other hand, if it was, it is also the "cleverest" malware I have run across in a long time!
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22872433
Please could you post the Mbam log?

Thanks.

0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22877059
Sure... please let me know if you think the VirusRemover2008 could have been doing all the things I mentioned!

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/1/2008 12:07:52 PM
mbam-log-2008-11-01 (12-07-52).txt

Scan type: Quick Scan
Objects scanned: 63462
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22903778
Any thoughts as to the possibility that this malware caused all of the things I mentioned before I close the question?  Thanks.
0
 
LVL 35

Expert Comment

by:torimar
ID: 22903903
Well, I don't think it was the cause of your System Restore not working. There are simply too many occasions where SR fails under normal conditions as well. That's why I generally recommend to disable it and to use EruNT instead.

As to the rest: yes. I do indeed think that it maight have been causing all the other issues you encountered. And it doesn't even have to be especially 'intelligent' for a trojan to alter your hosts file and to monitor/kill running processes. I shoudn't consider this kind of defensive behaviour to be that extraordinary for "successful" malware.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
ID: 22903972
>>>Any thoughts as to the possibility that this malware caused all of the things I mentioned <<<

Yes all the things that you mentioned in your first post are the symptoms of these rogue/fake software.
* fake warnings to lure your into buying a product
* microsoft and security sites and anti-spyware forums sites are blocked
* Distabled utilities e.g. System Restore etc.
^ google search redirects, so when you google an anti-spyware forum etc the link won't work (unless you click on the cached page and get the link from there.) Rogue apps comes with a TDSS rootkit that blocks Bleepingcomputer, MBAM, Combofix etc.
^ programs fail to update
Those above are just a few of the common symptoms of these rogue programs, there are more symptoms depending on what other nasties come with them.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 3

Author Comment

by:cwilliambrown
ID: 22906134
I spoke too soon.  I attempted a Google search this morning and was redirected to a page trying to get me to buy software.  I also received a pop-up "warning" that I had spyware installed and needed to scan/buy....."  I was unable to update MBAM but I rescanned and found some of the same entries as before.  I cleaned them but I'm worried they will return just as before.  I'm going to try cleaning with some other utilities and keep my fingers crossed that I get it all.
0
 
LVL 35

Expert Comment

by:torimar
ID: 22906773
You have not yet posted a HijackThis log. Please do.

Also, this may be a good moment to read up on the link I suggested above:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_23704670.html
0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22906991
Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:08 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Documents and Settings\Charles\Local Settings\Temporary Internet Files\Content.IE5\MILTL50T\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Charles\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'Default user')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap.ca/Downloads/upgradefinder.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 1: (no name) - http://www.steelers.com/

--
End of file - 11176 bytes
0
 
LVL 35

Expert Comment

by:torimar
ID: 22907297
The first thing you should do:

Try to reset yours hosts file following the link posted above by phototronic. A hosts file still corrupted by the malware is a plausible cause for internet address resolution not working correctly.

As to your log file: there is still a "karna.dat" on your system. This is considered nasty indeed, and you can try to let HijackThis fix it for you, or search and delete the file yourself in Safe Mode.
But I really don't know whether it can be blamed for the pertinence of your problems, seeing it is a .dat file without an active executable component that makes use of it.

But let's see what others will say.
0
 
LVL 35

Expert Comment

by:torimar
ID: 22907308
/edit:
must read "phototropic" .... sorry for the typo
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22908869
Yes, the bad entry is still there that MalwareBytes should have removed.
Try Smitfraudfix or SDFix, these tools also remove it, but you need to run these tools in Safe Mode.

Download SmitfraudFix, and select Option 2. Clean (Safe mode recommended)
http://siri.geekstogo.com/SmitfraudFix.php

Or SDFix, (only works in Safe Mode, extract the file and doubleclick on "RunThisBat").
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

How to use SDFix.
http://www.bleepingcomputer.com/forums/topic131299.html

IF, problem persists, we'll then use Combofix.
0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22913793
OK, I have updated my hosts file per the above link.  I ran SmitFraud in safe mode.  Things "appear" to be ok.  One thing I noticed, was that somewhere along the way, homepage was changed to www.msn.com and my clock was switched to the 24 hour format.  No big deal just curious as to what caused it??  A new HiJackThis log file is attaced.
hijackthis2.log
0
 
LVL 35

Expert Comment

by:torimar
ID: 22913922
No more threats, as far as I can see.

Those two things you noticed are most probably reversions to what the cleaning tools consider to be a default state:
- Isn't msn.com the dafault homepage in IE after installing XP? I can't tell for sure, because I don't use IE - never have, never will. But certainly nothing to worry about.
- The clock in 24 hour format? Well, that may simply mean that at least one of those tools was programmed by a continental European like me ;) For us, that's the normal way of telling the time.
0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22924592
Thanks everyone.   I think my PC is clean now!  I'm going to divide the points between all of you because each one gave me a part of the solution.  However, I am going to award Torimar more because he was the first to mention SmitFraud.  
0
 
LVL 3

Author Comment

by:cwilliambrown
ID: 22924638
I meant to say Phototropic was the first to mention SmitFraud.
0
 
LVL 3

Author Closing Comment

by:cwilliambrown
ID: 31512298
Thanks!
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
A virus remnants 4 66
Possible root kit infection 9 182
Cryptolocker virus infection 6 77
Virus or Ransom ware 6 324
The intent of this Article is to provide the basic First Aid steps for working through most malware infections. The target audience includes experienced IT professionals and the casual user who just wants to make the infection go away. **********…
Sub-Titled: “My Way” (with apologies to Francis Albert Sinatra) Let me start by stating emphatically that I am one of those Experts who prefer doing things “My Way”. It’s kind of a no-brainer. “The following procedure works for me, so here is …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now